release: 0.39.0

[stainless-app]

Automated Release PR

0.39.0 (2026-06-04)

Full Changelog: v0.38.0...v0.39.0

Features

• api: api update (16484dc)
• api: api update (eb85299)
• api: api update (7465b15)
• api: api update (898829a)
• api: api update (c31c296)
• api: api update (8958b49)
• api: api update (10386a3)
• api: api update (e1f12f8)
• api: api update (700d0af)
• api: api update (d4b2496)
• support setting headers via env (0e3b514)

Bug Fixes

• typescript: upgrade tsc-multi so that it works with Node 26 (bb51450)

Chores

• avoid formatting file that gets changed during releases (cf52108)
• format: run eslint and prettier separately (43ec88d)
• internal: codegen related update (f6cdc59)
• internal: more robust bootstrap script (dd48b06)
• internal: update docs ordering (9ac7b35)
• redact api-key headers in debug logs (9ccb5ff)
• restructure docs search code (8a752b4)
• tests: remove redundant File import (1f3a018)
• update SDK settings (5f5049a)

Documentation

• update http mcp docs (6f8f5a6)

---

This pull request is managed by Stainless's GitHub App.

The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.

For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.

🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions

[stainless-app]

🧪 Testing

To try out this version of the SDK:

npm install 'https://pkg.stainless.com/s/hyperspell-typescript/16484dc79e9cfe7960356b683d977295ea0ee931/dist.tar.gz'

Expires at: Fri, 03 Jul 2026 00:33:12 GMT
Updated at: Wed, 03 Jun 2026 00:33:12 GMT

[canaries-inc]

🐤 Canary Summary

This is an automated release PR with no UI/UX changes:

• Version bumped from 0.38.0 to 0.38.1 across all package files
• Updated npm publishing workflow authentication from OIDC to token-based
• Modified release scripts to use NPM_TOKEN environment variable
• Updated changelog and configuration metadata
• No user-facing UI components, styling, or application logic affected

---

---

View PR tests on Canary

[canaries-inc]

🐤 Canary Proposed Tests

No testable user journeys found for this PR.

[entelligence-ai-pr-reviews]

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this appears to be a standard release bump to version 0.38.1 with no identified logic, security, or correctness issues surfaced during review. The automated analysis found zero critical, significant, or medium-severity issues across the reviewed files. While only 4 of 13 changed files received coverage, the absence of any flagged concerns and the nature of a patch release (typically containing minor fixes or version metadata updates) supports a clean merge.

Key Findings:

• No new review comments were generated, indicating no obvious logic bugs, security vulnerabilities, or correctness issues were detected in the analyzed code.
• The PR is a patch release (0.38.1), which typically involves version string updates, changelog entries, and minor bug fixes rather than high-risk architectural changes.
• Zero unresolved pre-existing comments were carried into this review, meaning there is no backlog of known issues being deferred.
• 4 of 13 changed files were reviewed by the heuristic analysis — the unreviewed files represent a minor blind spot, but for a release PR this risk is generally low.

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

This PR updates .stats.yml to synchronize metadata with the latest OpenAPI specification version.

• Switched OpenAPI spec URL from percent-encoded path format to a standard path format
• Updated openapi_spec_hash to reflect the new spec hash
• Refreshed config_hash to match the latest API specification state

---

Confidence Score: 3/5 - Review Recommended

Likely safe but review recommended — this PR itself only updates .stats.yml metadata (URL format normalization and hash refreshes), which is low-risk and straightforward. However, four unresolved comments from previous reviews remain open on files in this repository: a logic bug in scripts/fast-format where $FILE_LIST guards on the path string rather than file contents (causing prettier to hang on empty input), a character-offset bug in scripts/utils/postprocess-files.cjs where ts-ignore replacement breaks declaration maps, and an empty-string header key vulnerability in src/client.ts when a line begins with a colon. These pre-existing concerns are not introduced by this PR, but they remain unresolved and involve real correctness and stability issues that warrant attention before or alongside this release.

Key Findings:

• The PR's own changes are confined to .stats.yml — switching the OpenAPI spec URL from percent-encoded to standard path format and updating openapi_spec_hash/config_hash — which carries essentially zero runtime risk.
• An unresolved major bug in scripts/fast-format (L31-L37) incorrectly guards on the non-empty path variable $FILE_LIST instead of the file's contents, meaning prettier can hang when no files have changed.
• An unresolved major bug in scripts/utils/postprocess-files.cjs (L23-L41) causes the ts-ignore replacement to shift character offsets, breaking TypeScript declaration maps and potentially causing incorrect source mappings in the released package.
• An unresolved major issue in src/client.ts (L228-L245) allows an empty-string header key to be written into the headers map when a line starts with a colon (colon === 0), which could silently corrupt HTTP header parsing.
• 2 previous unresolved comment(s) likely resolved in latest diff (score-only signal; thread status unchanged)

Files requiring special attention

• scripts/fast-format
• scripts/utils/postprocess-files.cjs
• src/client.ts
• .stats.yml

[entelligence-ai-pr-reviews]

publish-npm.yml skips NPM_TOKEN validation that bin/publish-npm previously enforced

bin/publish-npm previously had an inline guard that printed a clear error and exited if NPM_TOKEN was unset and OIDC was unavailable. The new bin/publish-npm drops that guard entirely and unconditionally calls npm config set ... "$NPM_TOKEN". The validation was moved to bin/check-release-environment (called only from release-doctor.yml), but publish-npm.yml never calls check-release-environment. If either secret (HYPERSPELL_NPM_TOKEN/NPM_TOKEN) is missing, GitHub Actions resolves the expression to "", so the publish job builds all packages, installs deps, and then fails late at pnpm publish with a cryptic npm auth error instead of the fast, descriptive message.

Prompt to fix with AI

Copy this prompt into your AI coding assistant to fix this issue.

Add a step in `.github/workflows/publish-npm.yml` before 'Publish to NPM' that runs `bash ./bin/check-release-environment` with `env: NPM_TOKEN: ${{ secrets.HYPERSPELL_NPM_TOKEN || secrets.NPM_TOKEN }}`, so the workflow fails fast with a descriptive error if the secret is missing rather than failing late at npm auth after building all packages.

[entelligence-ai-pr-reviews]

NPM_TOKEN empty-string not caught; check moved out of publish path

bin/publish-npm removed its inline NPM_TOKEN guard and now unconditionally calls npm config set with "$NPM_TOKEN". publish-npm.yml sets NPM_TOKEN from secrets with a || fallback; when both secrets are absent it evaluates to empty string (not unset), so bash's -u guard never fires, the auth token is set to "", and the publish silently fails at npm with an opaque auth error. The only [ -z "${NPM_TOKEN}" ] check lives in bin/check-release-environment, which is only invoked by release-doctor.yml (triggered on PRs, not on publish events).

Prompt to fix with AI

Copy this prompt into your AI coding assistant to fix this issue.

Add an explicit NPM_TOKEN check to `publish-npm.yml` before the publish step, OR add `if [ -z "${NPM_TOKEN:-}" ]; then echo 'ERROR: NPM_TOKEN must be set'; exit 1; fi` at the top of `bin/publish-npm` (replacing the unconditional set) so the publish job itself fails fast with a clear message when both secrets are unset.